HT to @wdormann here - somebody has backdoored the open source project XZ which has downstream impacts.

For example, although OpenSSH doesn't use XZ, Debian patched OpenSSH and introduced a dependency, which translates into the XZ changes introducing an sshd authentication bypass backdoor, it appears.

One dude bothered to investigate in his free time why ssh was running slow, so it was caught fairly early - i.e. hopefully before distros started bundling it.

openwall.com/lists/oss-securit
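The dependency chain the post describes (sshd itself never calls into XZ, but Debian's OpenSSH build is linked against libsystemd for service notification, and libsystemd pulls in liblzma) is something you can check on a host in a few lines. The script below is an added example, not code from the thread or from either poster: it parses `ldd`-style output for a resolved liblzma path and classifies an `xz --version` string against the two upstream releases that public advisories named as carrying the backdoor, 5.6.0 and 5.6.1 (that version list comes from those advisories, not from this thread). The embedded `ldd` samples are constructed for illustration; `liblzma_path_from_ldd` and `classify_xz_version` are names chosen here.

```shell
#!/bin/sh
# Added example: does this host's sshd reach liblzma at runtime, and is the
# installed xz one of the upstream releases known to be backdoored?

# Constructed ldd output, modelled on a Debian-style sshd that links libsystemd.
SAMPLE_LDD_WITH_LZMA=$(printf '\tlinux-vdso.so.1 (0x0001)\n\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x0002)\n\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x0003)\n\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0004)\n')

# Constructed ldd output for an sshd built without the systemd patch.
SAMPLE_LDD_CLEAN=$(printf '\tlinux-vdso.so.1 (0x0001)\n\tlibcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x0002)\n\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0003)\n')

# Print the resolved path of liblzma from ldd output passed as $1, or "none".
# Only the first liblzma entry is reported; ldd lists each soname once.
liblzma_path_from_ldd() {
    path=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*liblzma\.so[^ ]* => \([^ ]*\).*/\1/p' \
        | head -n 1)
    if [ -n "$path" ]; then
        printf '%s\n' "$path"
    else
        printf 'none\n'
    fi
}

# Classify the first line of `xz --version` ("xz (XZ Utils) 5.6.1"):
# "backdoored" for 5.6.0 / 5.6.1, "unknown" if no version parses, else "other".
# Distro builds that backported a fix keep their own version strings, so
# "other" means "not the known-bad upstream tarball", not "verified clean".
classify_xz_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p')
    case "$ver" in
        5.6.0|5.6.1) printf 'backdoored\n' ;;
        '')          printf 'unknown\n' ;;
        *)           printf 'other\n' ;;
    esac
}

# Live check on the current host: sshd's link map and the installed xz.
main() {
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd_path" ]; then
        lzma=$(liblzma_path_from_ldd "$(ldd "$sshd_path" 2>/dev/null)")
        if [ "$lzma" != "none" ]; then
            # readlink -f turns the soname symlink into the versioned file name.
            echo "sshd ($sshd_path) links liblzma: $(readlink -f "$lzma" 2>/dev/null || echo "$lzma")"
        else
            echo "sshd ($sshd_path) does not link liblzma"
        fi
    else
        echo "sshd not found at $sshd_path"
    fi
    if command -v xz >/dev/null 2>&1; then
        echo "xz version status: $(classify_xz_version "$(xz --version 2>/dev/null | head -n 1)")"
    else
        echo "xz not installed"
    fi
}

main
```

A liblzma entry in sshd's link map only shows that the backdoor's loading path exists; it says nothing about whether the library itself was the trojaned build, which is why the version check is paired with it. Run as root or not, the script only reads binaries and never touches sshd's configuration.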


@GossiTheDog @wdormann I'm glad so many security people go above and beyond, but this feels like a very close one. Like terrorist cells, how many are out there that we don't know about? It's scary.

It will also kick off that old chestnut about FOSS being fundamentally insecure, a talking point gladly fueled by the big two.
